On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.
The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Under the Rule, vendors of personal health record that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information. 16 C.F.R. §§ 318.3, 318.5. Third-party service providers also are required to notify covered vendors of any breach. 16 C.F.R. § 318.3.
The policy statement takes a broad view of when health apps and connected devices are covered by the Rule. Specifically, the policy statement broadly construes when health apps and connected devices are subject to provisions that apply to “vendors of personal health records that contain individually identifiable health information created or received by health care providers.”
- First, the policy statement takes the view that a developer of any digital health solution that is “capable of drawing information from multiple inputs” is a vendor of a personal health record. Indeed, the policy statement asserts that a health app or connected device that draws information from multiple sources is covered so long as it draws health information from at least one source. According to the statement: “For example, if a blood sugar monitoring app draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar), it is covered under the Rule.”
- Second, the policy statement takes the position that the developer of a health app or connected device – even one that is not a covered entity for purposes of HIPAA – is a “health care provider” because it “furnish[es] health care services or supplies.”
Additionally, the policy statement takes a broad view of what triggers breach notification requirements when the Rule is applicable. Specifically, the policy statement states that there is a “breach of security” for purposes of the Rule “[w]hen a health app, for example, discloses sensitive health information without users’ authorization.” The policy statement notes that the FTC intends to seek civil penalties for violations. Entities that violate the Rule face civil penalties of $43,792 per violation per day.
During the meeting, FTC Chair Lina Khan described the policy statement as consistent with previous guidance, however Republican Commissioners Noah Phillips and Christine Wilson argued that this interpretation may exceed the scope of the Rule, among other concerns. For example, Commissioner Phillips wrote that the majority’s “reading of the relevant texts is convoluted, and apparently beyond what Congress, the Commission, and sister agencies had in mind in drafting them.” Among other points, Commissioner Phillips noted that the FTC specifically declined to include counts alleging violations of the Rule in a complaint earlier this year against Flo Health, despite contrary arguments by two Commissioners. In a separate rulemaking process, the Department of Health and Human Services (“HHS”) is undertaking how to define and treat mobile health applications under its HIPAA Privacy Rule.